Graphql/Prisma, authorization with or without passport? - node.js

I'm creating an API with graphql and Prisma and have been following this tutorial for tips and tricks: https://www.howtographql.com/graphql-js/6-authentication/. When they reached authorization they opted not to use middleware like passport.js but instead wrote their own logic as you can see in the link. I'm simply wondering why and if this solution is lacking from a security perspective?

passport is really handy if you want to set up facebook, twitter and google auth. For simple password login just write your own functionality, it is simple to do and gives you full control.

Related

Security for React front-end and Node back-end

I'm relatively new to the modern JavaScript web development world. I've built a very simple Node/Express back-end and a separate React front-end. My vague plan is to have users that will have permission to access certain areas of the front-end, and then have the front-end make requests to the back-end. Can the front-end and back-end share the same authentication/authorization scheme? Can they both use something like Auth0? How can I make these two secure?
I'm a little stuck and would appreciate any advice or a nudge in the right direction. I'm mostly stuck because these are two separate applications but the same "user" would technically have permissions to certain React views as well as certain Express endpoints - how do they moosh together?
Thanks.
Although it seems not directly related to your topic, I would actually suggest you try Meteor if you are not planning to immediately start working on large projects (not pressing too hard on scalability).
Meteor has built-in support for Accounts and interacts with MongoDB nicely, and it also has its own DDP protocol that simplifies API calls massively. It also interacts nicely with React.
If you think Meteor might not be a good choice for you, you could still learn from its design policies for authorization, etc. It has quite a bit of package source code that is not too difficult to understand, and should be helpful for learning the basic idea. (Actually, Meteor's Accounts package already implements the basic idea mentioned by another answerer, so you can learn from its design principles.)
When users log in to your site, issue them an access token that they keep client side. On the front-end, check if the user has a token and the correct permissions before rendering components. On the back-end, send the token as request headers to the endpoints.
I have implemented a similar case, but with Spring Boot Kotlin on the backend instead. My solution uses a JWT token to validate authentication and authorization.
The user logs in by filling in the login form and sending a POST request to the backend via a REST API. The backend validates the credentials and returns the JWT token, including encrypted user_role, expiration date, etc., if valid, or a 403 exception.
The front-end decodes the JWT (using the jwt-decode lib or something else) and saves it to validate access permission to specific pages in the website based on user_role. E.g. role='ADMIN' can access the admin dashboard page, role='USER' can access the user profile page, etc.
If you use Express as the backend, I suggest using feathersjs. It has backend solutions for this and an optional front-end version. Refer: https://docs.feathersjs.com/api/authentication/jwt.html
Secure Front end (React.js) and Back end (Node.js/Express Rest API) with Keycloak follow this

admin-on-rest with passport.js authentication?

I am wondering why I cannot find any AOR and passport auth code online? I found a ton of keystone and passport though... Is there a specific reason for that - the two should work well together, right?
You're right, there is no reason admin-on-rest would not work with passport -- however, there is a caveat:
It seems you are searching for a "passport + AOR" tutorial or guide, but one of the selling points of admin-on-rest is that it is truly agnostic to any authentication implementation. Therefore, you would implement a passport strategy of your choosing (jwt, oauth, http basic) within admin-on-rest's authClient.js
https://marmelab.com/admin-on-rest/Authentication.html

Authentication middleware in Express NodeJS - Best practice

I'm writing my first Express NodeJS app and I want to know what is the best practice when it comes to authentication middlewares?
I'm using access tokens and cookies (which are composed from user id and some random bytes) for each new user, and for some routes I want only given users to have access to it.
Is it a good idea to access the database from a middleware? Or where should I check if a given user has access to a given resource?
Thank you!
There are many modules built for authentication purposes for nodejs applications. However, the most commonly used module for nodejs/expressjs is Passport. If you wish to stay isolated from such libraries, nodejs has built-in libraries for encryption etc.; for example, check this out.
For sessions and cookies, using signed cookies is always a good practice. Check out this SO post. There are many good practices for maintaining security (say, using https over http, token-based authentication, etc.) followed throughout the development grounds, which you'll learn as you go on. Here is a short tutorial on JWT (JSON Web Tokens), a good introduction to token-based authentication in JSON, which you can check out.
Happy coding :)

What is the best way to implement user login system for website with hapi.js?

What is the best way to implement a user login system for a website in the hapi.js framework?
I have searched a lot through the internet but I still don't know which module I should use to implement such authentication. I prefer using passport but the documentation for passport and hapi is so brief. Can anyone suggest a module? Or detailed documentation for passport and hapi.js?
Thank you
If you're looking to do basic authentication, take a look at hapi-auth-basic. Alternately, you may wish to look at hapi-auth-cookie.
If you're looking for third-party login via OAuth there is Bell.
For more on authentication with Hapi take a look at the tutorial on hapijs.com.

Testing Passport Facebook Strategy Oauth

I was looking for a solid example or to be pointed in the right direction of how to simulate testing Passport-Facebook's login process. Completely clueless as where to start.
I'm open to any testing framework.
Best,
Austin
While the Passport documentation provides a crude/basic example for using the Passport-Facebook strategy:
http://passportjs.org/docs/facebook
You may like to have a look at this tutorial from scotch.io for a detailed example; it teaches you how to authenticate via facebook, twitter and google+ using Node.js and the respective strategies. You'll have to follow the first two lessons to achieve your goal:
https://scotch.io/tutorials/easy-node-authentication-setup-and-local